Landmark laws: data brokers and the future of US privacy regulation

Vermont’s new law on data brokers has revealed an expansive registry of secretive firms profiting from your corporate and personal data. As the first law of its kind in the US, privacy advocates have rejoiced – but how much will it really do to rein in this largely obscure and unregulated industry, and what effect will it have on organizations across America?


Data brokers have been operating in the dark for years. If you’re interested in digital privacy, the fact that your information is regularly traded by hundreds of secretive companies will come as no surprise. What’s less clear is who these organisations are, what information they store, and who exactly they’re working with. Thanks to a new state law in Vermont, companies trading in the third-party data of residents must register with the state. The resulting registry gives us a rare, passing glance into a thriving economy that operates mostly under the radar, and often with little oversight.

Data brokers have been silently providing businesses with your information for a long time. Advertising is just one of many functions: this data is used for shaping the terms of personal loans, restricting services to certain demographics, informing shadow credit scores, and much more. Until now, these practices have existed in a regulatory near-vacuum; as long as brokers stepped carefully, they could maintain what amounts to a comprehensive shadow profile of unwitting consumers.

In force since January 2019, Vermont’s law is the first piece of US legislation to address this murky industry directly. So far, 121 companies have registered, shedding light on an expansive and diverse array of firms, from the obscure and relatively unknown to the quiet giants of the data industry.

The record of active organisations includes branches of the data giant Experian, people search engines like Spy Dialer and Spokeo, and a variety of smaller organizations that range in purpose from helping landlords vet tenants to delivering advertising prospects to the insurance industry.

Having faced strong opposition in the legislature last year, the law has since won the approval of consumer advocates, who argue it will help ordinary people understand who is collecting their data and what can be done to opt out.

Illuminating as it may be, the registry and the entities recorded in it represent a minuscule portion of the wider data economy. The law only affects third-party data handlers – those trading in the data of consumers with whom they have no direct relationship – as opposed to ‘first-party’ data handlers like Facebook, Google or Amazon, which harvest data directly from their own users.

Having set a precedent, Vermont has paved the way for state legislators to take the lead in data privacy regulation. Many anticipate the subsequent introduction of improved federal privacy protections in coming years. This article will explore the implications of this forecast for concerned consumers and data privacy professionals, as well as the consequences for organisations reliant on third-party data sources.

The problem with data brokers

If you’re not familiar with the industry, it’s no accident. Data brokers typically eschew all things consumer-facing and opt instead to harvest information on people in secret, trading it amongst themselves like the valuable asset it has become.

These companies encroach on the privacy of millions by harvesting and monetizing personal data without consumer knowledge or consent. Worse still, many fail to store this sensitive information securely, leading to incidents like the 2017 Equifax breach that put millions at risk of identity theft, stalking, fraud and other harms for years to come.

By scraping public records and buying or licensing data from other sources, third-party brokers can assemble billions of detailed consumer profiles with thousands of classifications per individual. These profiles are often used to build audiences for targeted advertising, and from them it is not difficult for a company to determine whether you are pregnant, where you have been, what medicine you take and even how you interact with your smartphone. The same data can be used to rate the quality of your lifestyle, and even to establish your eligibility for a job opening.

Like the brokers themselves, the dangers here can be difficult to identify. Aside from the inherent risk of simply aggregating and storing all of this data, thorough (and often flawed) consumer profiling can lead to discrimination based on income or race in what essentially amounts to technological redlining. Troves of personal data are flowing to political parties attempting to influence voting behavior as well as government agencies tracking potential suspects. Meanwhile, people-search websites can provide a wealth of information ready to be exploited by doxxers, stalkers and abusers.

While the data brokerage industry has its legitimate uses, there are fundamental risks involved in the blanket aggregation and sale of consumer data. The practice routinely infringes on an individual’s right to know and control the information stored about them, and it creates further risk whenever that information is acquired without authorization or by fraud. Many consumers are not even aware that these companies exist, what information they collect, or what recourse there is if they wish to opt out.

Inside the consumer protection bill

Vermont’s law seeks to protect consumers from data brokers through four distinct mechanisms:

Transparency. Brokers must register annually with the state. If they offer a process for opting out of data collection, retention or sale, they must disclose it. They must state whether they vet purchasers (for example, by requiring credentials), and they must notify authorities of any security breaches.

No fraudulent collection. Data brokers may not collect personal information by fraudulent means, or for the purpose of fraud, harassment or discrimination. Acquiring or using brokered data for such purposes is now an actionable offense in its own right, though the bill sets no standard for how brokers must vet buyers and their intentions.

Minimum security standards. Brokers must implement and maintain an information security program with administrative, technical and physical safeguards appropriate to the personal information they hold.

Free credit freezes. Credit freezes are an important way for consumers to protect themselves from the fallout of a data breach. Vermont’s law bars credit reporting agencies from charging consumers a fee for this protection.

Although amendments are expected in the coming months, the law does not yet require data brokers to disclose who is in their databases, what data they collect or who buys it. Nor does it require brokers to give consumers access to their own data, or even the ability to opt out of collection altogether.

What does this mean for enterprise security?

The bill has been carefully written to reduce the potential for circumvention. Rather than relying on narrow definitions – which could be exploited or avoided – policymakers focused on the activity and behavior of the companies in question. As a result, many companies – not just those that identify as brokers – will find themselves caught by the law’s broad definition:

“‘Data broker’ means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

In simpler terms, any organisation that collects data on people it has no direct relationship with and sells or licenses it on will be obliged to comply. This leaves little room for a genuine broker to escape the designation. If other states model future legislation on Vermont’s bill, many companies across the country – brokers or otherwise – are likely to find themselves forced into compliance.

As affected businesses register and disclose key information for the first time, consumers will be able to identify which processes they can exclude themselves from and how. The acquisition or use of brokered data for fraud, harassment or discrimination is now an offense in its own right, although the law does not give consumers a private right to sue brokers themselves.

Data security and access controls at every affected organisation will have to be vetted to ensure they meet the minimum standard. New breach rules mean authorities must be promptly notified if personal data is leaked in spite of these security measures. This has broad implications for security standards across organisations nationwide if Congress – or other states – choose to model future legislation on Vermont’s trailblazing bill.

Next steps

Now that the first registrations are in, officials and advocacy groups are planning to review the listed companies to get a better sense of who’s operating in the industry, how accommodating they are to consumers who wish to opt-out, and whether any further regulation is necessary.

Though it is a good first step, several rules remain on the wish list for the privacy-conscious in Vermont and around the country. Under the current law, a consumer can only learn which brokers operate in the state, plus a few general facts about their operations. Nothing in the law establishes a consumer’s “right to know” – that is, what information is harvested, how it was obtained, and to whom it is sold. Nor is there any obligation on companies to offer an opt-out at all.

Furthermore, the bill does not require any form of consumer consent for the collection or sale of personal information. This is especially concerning when considering biometric data, and the ability of organizations to collect or sell this information without active and informed consent. While minimum security standards are a strong – if long overdue – addition, consumers are still unable to access and review what data is stored, or bring legal action against companies that violate the law.

Tips for opting-out

Given their usual obscurity, it can be difficult to know where to begin the process of opting out – assuming the option exists. Most consumers will likely have to contact each organisation individually through whatever opt-out mechanism they can find.

Unfortunately, US law does little to regulate most companies that deal in data, leaving consumers with few guarantees. Eventually, we may see additions like the right of access, the right to erasure (the “right to be forgotten”) and other protections granted to residents of the European Union under the General Data Protection Regulation (GDPR). For now, there is relatively limited recourse for those looking to shield themselves from the brokerage industry.

Contact each company individually. To remove yourself from a specific database, consult the filing history of the companies listed in the new registry. Each filing states how to opt out – provided the company allows you to. Various online guides listing common opt-out procedures may also be useful here.

Report violations. If you are worried about how an organisation is collecting or managing your data, you can file a complaint with the Federal Trade Commission (FTC). In recent years, the FTC has issued millions of dollars in penalties over unlawful behavior by data brokers and credit agencies.

Manage online behavior. Though it is far from ideal, limited federal regulation means it is often up to the individual to police their own online behaviour and minimise the amount of data they leak. You can limit your exposure by tightening privacy settings, deleting unnecessary applications, using tools like a VPN or script-blocker, and restricting what you post online.

One small step...

Vermont’s law offers plenty to celebrate for those concerned about information security. It is the first legislation by any American state to force data brokering out of the shadows, and it begins the process of regulating data brokers on a larger scale. It illustrates the opportunities available for state legislators to take the lead in protecting consumer privacy, and demonstrates why Congress must not hastily enact a weak federal privacy law that pre-empts stronger state-level legislation.

That said, in many ways these regulations are more symbolic than substantive. Many have argued that the law imposes restrictions on third-party data use that are inconsistent with those imposed on first-party data handlers. Search engines, telecoms and social networking services remain relatively untouched. This means that some of the businesses most closely associated with controversies around personal data are still outside the purview of the law, even if they sell access to consumer data.

Though small in its direct impact, Vermont’s law is undoubtedly significant for the future of consumer privacy and information security in the US. Other states are likely to look to Vermont as they begin to shape their own approaches to data regulation.

If similar legislation proliferates across the country, it’s likely to have huge implications for large enterprises and security professionals everywhere as organizations look to ensure compliance. It’s possible the federal government will pass its own data privacy legislation in coming years – something that’s been backed both by privacy groups seeking comprehensive protections and by industry leaders looking to avoid the cost of compliance with 50 different state policies. However these laws eventually take shape, data compiled through Vermont’s registration scheme is bound to influence both federal and state lawmakers in years to come.

William Chalk is a cybersecurity journalist and senior researcher at digital privacy group Top10VPN. He writes about the intersection of cybersecurity and culture, and covers global developments in censorship and digital freedoms.